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28 April 2017 


(U) On behalf of the National Reconnaissance Office (NRO) Office of 
Inspector General (OIG), I am pleased to submit this report on the OIG’s 
activities for the period 1 October 2016 through 31 March 2017. This 
report highlights significant findings and recommendations identified 
during the course of the OIG’s work, as well as OIG accomplishments, 
including organizational and procedural changes. The activities described 
in this report exemplify our continuing commitment to improving the 
efficiency and effectiveness of NRO programs and operations. 


(U) This reporting period saw OIG achievements that support and 
facilitate our mission of assuring effective stewardship of taxpayer dollars 
and preventing and detecting fraud, waste, abuse and mismanagement in 
NRO programs. Highlights include actions to implement our OIG 
Strategic Plan, and outreach efforts to disseminate OIG results to a wider 
audience, to encourage NRO staff to voice their concerns, and to 
communicate the OIG mission and values across the NRO. For example, 
we conducted our that builds on the (b)(3) 
success of our first effort in 2016. In addition, we issued our inaugural 
OIG Monthly Report to keep NRO management apprised of our work and 
accomplishments. In addition to these efforts, our Investigations Division 
is continually updating its case studies training courses to keep the NRO 
staff informed about the potential for fraud and its implications; creating 
posters designed to increase fraud awareness within the NRO workforce; 
and expanding its investigative network along the west coast of the 
United States. 


(U) We continue to enjoy a collaborative relationship with Director Sapp 
and with NRO’s leadership and workforce. Director Sapp and her 
management team are actively engaged in addressing open 
recommendations and implementing corrective actions. The OIG did not 
experience any issues related to access to NRO records or personnel. 











(U) I very much appreciate the cooperation and support of the Congress 
and its staff as we continue to effect positive change at the NRO. I 
would also like to thank the dedicated and professional NRO OIG staff for 
their continued hard work and commitment to providing effective 
oversight of NRO programs and operations. 


_ a, 





Susan S. Gibson 
Inspector General 
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(U) During this reporting period, the National Reconnaissance Office 
(NRO) Office of Inspector General (OIG) focused its oversight efforts and 
resources to address management challenges and issues of greatest risk 
within the NRO. Specifically, the OIG performed work on 24 projects, 
11 of which were completed and 13 are ongoing. The projects derive 
from previous NRO OIG annual work plans; address mandated 
requirements; respond to alleged violations of law, regulation, or policy; 
or evaluate emerging issues. The OIG's efforts enhanced the economy, 
efficiency, and effectiveness of NRO programs; assisted in detecting and 
preventing fraud and abuse; safeguarded taxpayer investments; and 
supported the mission of the NRO. 


(U) The NRO OIG had key internal accomplishments during this reporting 
period. For example, it began to carry out actions to implement its Fisca/ 
Year 2017-2021 Strategic Plar, expanded its outreach initiative by visiting 











initiated a monthly, internal OIG report; and (b)(3) 








expanded its efforts to increase NRO staff awareness of the potential for 
fraud and its implications. In addition to these accomplishments, the 
Inspector General (IG) advertised for and appointed a new Assistant 
Inspector General (AIG) for Audits when the long-time holder of that 
office retired.’ 


(U) IMPLEMENTING THE OIG STRATEGIC PLAN 


(U) In early Fiscal Year (FY) 2017, the OIG finalized a new Strategic Plan 
covering fiscal years 2017 — 2021, and began actions to achieve its 
strategic goals. For example, to address the OIG 
goal of improving its organizational capabilities, 
the OIG established a Leadership Development 
Working Group. The Working Group has re- 
energized the Shadowing Program, which will 
offer OIG staff with short-, mid-, and long-term 
opportunities to work outside their assigned 
Division or Office and is intended to increase OIG 
staff job satisfaction, increase opportunities for 
staff to learn from OIG leadership, and expand 
OIG staff leadership capabilities. Similarly, to 
address its goal of improving NRO programs and 
processes, the OIG is revising its annual planning 
process to (1) broaden the groups of 
stakeholders that provide planning input to the 
OIG, and (2) use the results of its data analytics work to support annual 
audit and inspection project selection. 


(U) Figure 1: O9G Strategic Plan 
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(U) Building on the success of its outreach efforts in 2016, the OIG 





conducted a second outreach proje ° The (b)(3) 
outreach team consisted of the Deputy IG and representatives from the 

Audits, Investigations, and Inspections Divisions. The outreach promoted 

the OIG's mission and increased the frequency of OIG interaction with the 

NRO site personnel beyond the standard joint inspection cycle. Activities 

included an OIG mission overview briefing, focus group sessions, and 

private interviews with site employees. Due to the success of the prior 

outreach initiative, the National Security Agency (NSA) OIG asked to 

participate in the NRO OIG’s 2017 outreach effort. 


(U) The OIG is also expanding its outreach efforts through a number of 
initiatives intended to disseminate OIG results to a wider audience, to 
encourage NRO staff to voice their concerns, and to communicate the 
OIG mission and values across the NRO. One initiative, a monthly report 
from the IG, included selected report highlights and encouraged staff to 
communicate with the OIG if they see something of concern, regardless 
of the scale of the concern. 





Zi rin ssibre Haskin lear (U) In addition, the OIG’s Investigations 

r Division has taken a number of actions to 
enhance its outreach efforts with the NRO 
community. For example, it updated its 
quarterly case studies training courses to 
keep the NRO staff informed about the 
potential for fraud and its implications. The 
courses are designed to have attendees 
think—not about policy, process, or 
requirements, but—about what fraud is, 
what to do when they see potential fraud, 
and most importantly, why it is so important 
for them to take action to combat fraud by 
contacting the OIG. 


(U) The Investigations Division also created two posters designed to 
increase fraud awareness within the NRO workforce. One poster is 
general in messaging, and the other specifically addresses non- 
conforming parts. These posters are the first two of a series based on 
investigative trends and concerns within NRO programs that will be 
created and released over the next several years. The posters are 
available to all NRO personnel and offices to include contractor locations. 
Within NRO facilities, the posters are also featured as electronic signage 
in hallways and common areas. 
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( U) Fiqure 3: OIG Outreach Posters 


“ (b)(3) 
(b)(3) 


(U) The posters are one element of the long-standi 
outreach program managed by the Investigations Division. The program 
develops investigative leads and sources, increases awareness, and is 
intended to deter fraud. Other activities within this program include the 
regular use of internal communiqués to the workforce and significant 
liaison with other NRO components and many federal and local law 
enforcement agencies. During the course of this reporting period, the 
OIG's Los Angeles Field Office has greatly expanded its investigative 
network along the West Coast. The Investigations Division also holds 
membership in several task forces and investigative working groups to 
include the Internet Crime against Children Taskforce and Operation 
Chain Reaction. 








(U) In addition to these outreach efforts, in March, 23 members of the 
OIG toured the Capitol and met with committee staff. NRO’s 
Congressional Affairs Office provided tour guides and support. The 
purpose of the outreach was to better understand the issues and 
perspectives of our oversight committees’ staffs and to deepen the OIG’s 
understanding of the workings of Congress. 
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(U) The inspector General Act of 1978, as amended, requires OIGs to 
report on the agency's significant problems, abuses, and deficiencies 
found during the reporting period, and on significant recommendations 
for corrective action to address those deficiencies. It also requires OIGs 
to report each significant recommendation described in previous 
semiannual reports for which corrective action has not been completed. 


(U) SIGNIFICANT FINDINGS AND RECOMMENDATIONS FOR THE 





CURRENT REPORTING PERIOD 


(U) The OIG reported one significant finding and made three significant 
recommendations during this reporting period. The significant finding 
and corresponding recommendations were associated with one report, 
Inspection of NRO Supervisory Control and Data Acquisition Systems 
(SCADA). 


(U//F Industrial Control Systems (ICS)/SCADA? systems and 
networks are the cyber component to facility-related systems such as air, 
power, water, and fire suppression. ICS/SCADA systems and networks 
manage and control the foundational activities essential to mission 
age . 5 
success. and are critical infrastructure assets.” | (b)(3) 




















(U/JFOYQ) Traditionally, ICS/SCADA systems and networks were (b)(3) 




















* (U) ICS/SCADA systems are used in utility infrastructures as computer-based monitoring and control systems. ICS is the umbrella 
term. SCADA is a component of ICS, but is more widely recognized and used than ICS or other ICS terms. For standardization 
_Durnoses, the report used the term ICS/SCADA. 
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(b)(1) 
(b)(3) 
(U) Third, NRO ICS/SCADA systems (b)(3) 
For example, national security systems may contain classified 
information or information that involves intelligence activities related to 
national security and require a high level of security; whereas, a federal 
information system, which does not contain classified information, ma 
require a lower level of security. | (b)(3) 
(b)(5) 
(b)(1) 





(U) The National Security Directive 42, National Policy for the Security of National Security Telecommunications and Information 
Systems, defines National Security Systems as those telecommunications and information systems operated by the U.S. 
Government, its contractors, or agents, that contain classified information or...that involves intelligence activities, involves 
cryptologic activities related to national security, involves command and control of military forces, involves equipment that is an 
integral part of a weapon or weapon system, or involves equipment that is critical to the direct fulfillment of military or intelligence 
missions. The National Institute of Standards and Technology Special Publication 800-18, Guide for Developing Security Plans for 
Federal Information Systems, defines federal information systems as information systems used or operated by an executive agency, 
by a contractor of an executive agency, or by another organization on behalf of an executive agency. 
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(U) Table 1 includes details on Significant Recommendations #1, #2, 
and #4, which address these findings. The Director, NRO (DNRO) and 
Director, MS&O concurred with these recommendations. 


(U) TABLE 1: SIGNIFICANT RECOMMENDATIONS: 
OCTOBER 2016—MARCH 2017 


Recommendation __ Office _ Status 
(U/JPOSQ) Significant Recommendation #1 for the DNRO: | DNRO CLOSED 














i 








Estimated 
Completion Date 

(ECD): 

25 May 2017 (b)(3) 


(U//PSQ0) Significant Recommendation #2 for the DNRO-appointed MS&O 
MS&0/COMM ICS/SCADA Working Group/Coordination 


Committee/Program: 

















(U//PORR Significant Recommendation #4 for the DNRO-appointed | ECD: 
MS&0/COMM ICS/SCADA Working Group/Coordination _ 9 August 2019 
Committee/Program: 























Tabie is UNCLASSIF 


(U) STATUS OF PRIOR SIGNIFICANT RECOMMENDATIONS 





(U) In its prior semiannual report, the OIG reported three significant 
findings and made four corresponding recommendations to address 
them. During this reporting period, the NRO completed actions to satisfy 
one significant recommendation in its entirety, and part of another 
recommendation. 


~~ (S/TTRITREDTO-USA-RVEY) Each of the significant findings and 


corresponding recommendations in the OTG's nrior Semiannual Renort 
was associated with one report (b)(1) 
The status of these prior recommendations is shown in Table 2. (b)(3) 
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(U) SUMMARY OF COMPLETED AND ONGOING PROJECTS 


(U) Table 3 identifies the completed projects for this semiannual 
reporting period. Following the table are short descriptions of the 
conclusions and recommendations for each project. 


(U) TABLE 3: COMPLETED PROJECTS — OCTOBER 2016-MARCH 2017 


Tite ___Date Completed 
U) Final Memorandum Report: Audit of the Transition of the 

Hapa ea Facility a the National Reconnaissance Office 2) November 2016 

(U) Final Report: Audit of Project Management within the Ground 
Enterprise Directorate 

(WU) Memorandum Report: Inspection of 222nd Command and 

Control Squadron 

(U) Final Report: Audit of the NRO‘s Transition to an Enterprise IT 

Audit Capability 

(U) Office of Inspector General Audit of the National Reconnaissance 

Office Fiscal Year 2016 Financial Statements 

(U) Final Report: Inspection of NRO Supervisory Control and Data 

Acquisition Systems (SCADA) 

(U) Memorandum Report: Office of Inspector General Audit of the 

Acquisition Strategy Council Process and Activities 

(U) Joint Inspectors General Inspection Report: Aerospace Data 
Facility Colorado 

(U) Final Report: Inspection of the NRO Defense Civilian Intelligence 

Personnel System Performance Management Process 


30 November 2016 
5 December 2016 
6 December 2016 
19 December 2016 
28 December 2016 
18 January 2017 
8 February 2017 


17 February 2017 
























































| (b)(1) 
| 23 March 2017 (b)(3) 
(U) Final Report: Inspection of the 31 March 2017 (b)(3) 
Table is SECR TROL 
(U) COMPLETED PROJECTS — FINDINGS AND RECOMMENDATIONS 
(U) Final Memorandum Report: Audit of the Transition of the 
MOUNTAINVIEW Facility to the National Reconnaissance Office. 
(U//FONQ) The OIG found that 
(b)(3) 
(b)(S) 
(TS/7TRANG-First, the OIG found that Industrial Control 
Systems/Supervisory Control and Data Acquisition (ICS/SCADA) systems (by(4) 
(b)(3) 











By (©) Matters of Concern — MOUNTAINVIEW Facility, 28 April 2016. 
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(U) The OIG recommended that the NRO 
> (U//FOUG)document the determination of the NRO to (b)(3) 











>» (U77FOUQ) contingent on the NRO’s determination of the necessity of 

















» (U//FELO) implement coordination aa the ADF-C Office of 
Security and Counterintelligence an 

















(U) Final Report: Audit of Project Management within the 
Ground Enterprise Directorate. 


(U//FOUe.The OIG found that the Ground Enterprise Directorate (GED) 
project offices that adapted engineering, oversight, and monitoring 
practices to the complexity of their project development had positive 
interaction between the Government and contractor to attain project 
goals. 






































(U) The OIG recommended that the NRO 


> (U/7FOLQ) (1) expand adaptive software development training 
such that GED staff maintains the knowledge necessary to verify 
and validate the contractor teams are appropriately applying the 
adaptive development, skills, tools, and techniques throughout the 
project; and (2) implement collaboration tools among GED project 
teams and contractors to verify and validate that the teams 
understand and properly apply the principles throughout the 
projects (OPEN); 


> (U//FOXQLimplement and document government pre-determined 
control gates that complement and align with the nature of the 
development and software development methodology (CLOSED). 
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> (U//FONS}.conduct and document a reassessment of selected 
projects’ capability estimates and determine if adjustments of rate 
of progress and schedule are needed (OPEN); and 


> (U/TFOYQ) assess and document the WBS format and content for 
selected projects to determine the best approach for maintaining 
visibility of the products, services, and mission applications and 
enable effective tracking of cost, schedule, and performance 
(OPEN). 


(U77FEVQ) In addition, the OIG observed that the NRO| (b)(3) 

















expectations for project offices; 





> (U//FO¥OQ)assess its groups’ functional alignment and collaboration 
tools to ensure provisioning specifications are understood and 
properly applied; and 

> (U/7FO8Q) establish government pre-determined control gates that 
complement and align to the project offices’ capability development 
plans and procedures. 





(U) Memorandum Report: Inspection of 222nd Command and 
Control Squadron. 


CES) the OIG determined that (1) the 222™ Command and Control 
Squadron (CACS) is meeting or exceeding expectations; (2) the 222™ 

training program is robust, comprehensive, and surpasses NRO 

requirements; (3) the Memorandum of Agreement covering 

administrative support of the 222° CACS is overdue for review; (b)(5) 











The results of this 








inspection did not warrant any recommendations or considerations. 


(U) Final Report: Audit of the NRO’s Transition to an Enterprise 
IT Audit Capability. 














ii 
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and (3) limited resources challenge COMM, (b)(3) 








jaccomplishment of activities and milestones. 




















(U) Office of Inspector General Audit of the National 
Reconnaissance Office Fiscal Year 2016 Financial Statements. 


(U) The OIG contracted with the independent public accounting (IPA) 











firm of to audit the financial (b)(3) 
statements of the NRO for FY 2016. For FY 2016, the NRO received an 
unmodified opinion on its financial statements. also described (b)(3) 





one material weakness—inaccurate recording of funds to others 
expenditures—and made seven recommendations associated with that 
material weakness. NRO management concurred with the finding and 
recommendations. 


(U) Final Report: Inspection of NRO Supervisory Control and 
Data Acquisition Systems (SCADA). 


“TS7#NE In addition to the significant findina identified earlier in this 
report, the OIG found that (b)(1) 
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(U/JFONQ)_The OIG issued five recommendations, three of which are 
significant, as reported earlier in the “Significant Findings and 
Recommendations” section of this report. The remaining two 
recommendations are to 


> 











(U) Memorandum Report: Office of Inspector General Audit of 
the Acquisition Strategy Council Process and Activities. 


(U//FONQY The OIG determined that the Acquisition Strategy Council (ASC) 
is executed in accordance with NRO guidelines by providing the NRO 
Acquisition Executive and NRO senior leadership with sufficient insight 
into the acquisition strategy to assess whether the acquisition strategy 
will meet user requirements. Accordingly, the OIG curtailed its fieldwork 
and issued a memorandum report to identify areas wherein the NRO 
Corporate Secretariat may enhance the effectiveness of the ASC’s process 
and activities. As such, the OIG did not offer any recommendations. 








(U) Joint Inspectors General Inspection Report: Aerospace Data 
Facility Colorado. 


(U/7FONQ) Inspectors from the NRO OIG joined with Inspector General 
staffs from the NSA/Central Security Service; the National Geospatial- 
Intelligence Agency (NGA); the 25th Air Force; the U.S. Fleet Cyber 
Command; Director of National Intelligence; and the U.S. Army 
Intelligence and Security Command to conduct an inspection of the ADF-C, 
National Security Agency Colorado, and the National Geospatial- 
Intelligence Agency-Denver. This joint inspection included the evaluation 
of mission accomplishment, policy and guidance, and general climate. 
Functional review areas related to the NRO included command topics; 
intelligence oversight; mission systems and engineering; facilities and 
safety; resource programs; security; IT and systems; and training. 


(U/PONQ) With respect to the NRO, the OIG identified numerous 
findings as well as several commendable areas that other sites could 
emulate. It issued 60 NRO recommendations to the site, a number of 
which were closed prior to the issuance of the final report. The OIG also 
issued 40 recommendations to NRO headquarters elements. 


13 









TOP SECRET// OLE//NOFORN 
Approved for Release: 2018/08/16 C05109044 


—,__ 


pproved for Release: 2018/08/16 C05109044 


WP DELRCI// Day PAL TPRILEY J INU 






(U) Final Report: Inspection of the NRO Defense Civilian 
Intelligence Personnel System Performance Management 
Process. 


(U) The OIG found the NRO did not execute the FY 2015 Defense Civilian 
Intelligence Personnel System (DCIPS) End-of-Year Performance 
Evaluation Review or Reconsideration Processes in compliance with the 
Department of Defense (DoD) prescribed timelines. In addition, the OIG 
noted other matters of concern that may impact the overall effectiveness 
and value of the Performance Management Process including (1) a wide 
discrepancy between rating/reviewing officials and the NRO Performance 
Management Performance Review Authority (PM PRA) regarding 
consistency, understanding, and execution of the performance standards 
in rating decisions; (2) a lack of diversity representation on some 
Performance Review Boards (PRB) and Bonus Pool Panels, and (3) the 
lack of finalized NRO DCIPS performance management policies and 
procedures. 


(U) The OIG recommended that the NRO 


¥ 


W 


(U) issue and/or update internal DCIPS policies and procedures to 
align with DoD’s prescribed timelines and enforce those requirements 
(OPEN); 


(U) develop and document a process to enable the PRB and the rating 
and reviewing officials to address discrepancies prior to the PRB’s 
finalization of a change of rating (OPEN); 


(U) establish a minimum mandatory training and refresher training 
program focused on consistency, understanding, and execution of the 
performance standards in rating decisions (OPEN); 


(U//FOUR). establish metrics to measure the delta between 
performance evaluation ratings and PM PRA approved ratings, 
develop a plan to reduce the delta, and track the progress, with a 
goal of eliminating the ratings gap (OPEN); 


(U) determine diversity representation requirements for Performance 
Review Boards and Bonus Pool Panels (OPEN); 


(U) update relevant performance management processes and 
procedures accordingly (OPEN); and 


(U) finalize NRO DCIPS performance management policies and 
procedures (OPEN). 
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(U) Final Report: Inspection of 





























(U) The OIG recommended that the NRO 


> 











(U) perform a desk audit of to determine appropriate staffing 
level and mix required to fulfill mission requirements and implement 
recommended staffing changes if warranted. Deliver a written report 
to the OIG documenting the results (OPEN); 


(U) assign a subject matter expert to provide a technical review of 
contract deliverables prior to Contracting Officer Representative 
approval (CLOSED); 





(b)(3) 














(U/7FEHQ) fill the Deputy ec to ensure 
h 


appropriate government oversig D); 


(U) update and publish COOP-related policy and guidance, to include 
a substantive undate to the 























(OPEN); 





(U) update and publish the Strategic Plan/NRO COOP 




















ensuring changes are 





coordinated via TIER with the relevant NRO Directorates and Offices 
(OPEN); 


(U/) (A) officially update title, organizational structure, roles 
and responsibilities, and other relevant information within thi 
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website; (B) develop a written process to ensure that th 
website is updated regularly on at least a semiannual basis (OPEN); 


(U) officially update the _osition descriptions and associated 
NRO staffing documents (CLOSED); 


(U) update, coordinate, and publish the 




















Charter to reflect the current operating environment and 








requirements (OPEN); 


(U) implement and document a training program for members, 
to include initial and periodic training as COOP processes evolve. 
Include a mandated standard template for component COOP plans in 
the training package (OPEN); 


(U77FOUQ) develop and document a methodology to ensure 
assessments of component plans consider an enterprise focus so that 
all plans are integrated, do not conflict with other plans, an are 
identified, mitigated, and tracked. In addition, update th 

office’s internal procedures stating the will provide 
assessment results within a specific timeframe after the completion of 
assessments (OPEN); 


(U//PONQ) evaluate and document the need for MS&O to contract for 
additional resources to support NRO components i inuity plan 
development and mitigation of issues identified ee pee ene 
(OPEN); 


implement and document a process for coordinating/documenting 
eeting schedules/substantive agendas/minutes as well as 
continuity policy changes and continuity concerns/resolutions (OPEN); 


(U/7POUQ) implement and document a process for the development 
of and follow-through for NRO continuity performance metrics 
(OPEN); and 


(ULLE@UO) identify and address current concerns with the NRO 
MR/COOP Plan, to include (A) documenting a comprehensive process 









































[that gaps an iti 
(B) developing and documentin 
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(U) ONGOING PROJECTS - OVERVIEW 


(U) Table 4 identifies the ongoing projects for this semiannual reporting 
period. Following the table are short descriptions of the objectives for 


each project. 


(U) TABLE 4: ONGOING PROJECTS — OCTOBER 2016 — 


MARCH 2017 


Tite 


(U) Consolidated Facilities Operation and Maintenance Performance 


Audit 
(U) Audit of the National Reconnaissance Office Insider Threat 
Program 














(U) Inspection of NRO Mission Resiliency 

(U) Follow-up Inspection of the NRO Department of 

Defense Cadre 

(U) Evaluation of NRO FY 2016 Improper Payment Compliance 


3 
4 
4 
3 
i 
j 
i 
j 
i 
i 
i 
i 
i 
j 
i 











(U) Office of Inspector General Fiscal Year 2017 Independent 
Evaluation of National Reconnaissance Office Compliance with 
Federal Information Security Modernization Act 

(U) National Reconnaissance Office GEOINT-Financials Service 
Organization Controls Examinations 

(U) Office of Inspector General Audit of the National 
Reconnaissance Office Fiscal Year 2017 Financial Statements 


(U) Audit of Management Oversight of Federally Funded Research 
and Development Centers throughout the National Reconnaissance 


Office 
(U) Special Review of the National Reconnaissance Office 
Consolidated Facilities Operations and Maintenance Enterprise 
Procurement Contract 

(U) Audit of National Reconnaissance Office Supply Chain Risk 
Management 








Date Initiated 
22 April 2016 


4 November 2016 


31 October 2016 
5 December 2016 
13 December 2016 

26 January 2017 
6 February 2017’ 

6 February 2017 


7 February 2017 


7 February 2017 


8 February 2017 


21 February 2017 


2i February 2017 


10 March 2017 


(U) Consolidated Facilities Operation and Maintenance 
Performance Audit. Objective: Evaluate NRO’s oversight of the 
Consolidated Facilities Operation and Maintenance contractor 
performance; review how the NRO verifies the contractor's costs, staffing, 
and performance in accordance with contract requirements. 
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(U) Audit of the National Reconnaissance Office Insider Threat 
Program. Objective: Determine whether the NRO has established an Insider 
Threat Program that (1) complies with federal program requirements and 

(2) is positioned to prevent, detect, and deter insider threats. 




















(U) Inspection of NRO Mission Resiliency. Mission resiliency—to 
include space protection and ground resiliency—will be examined in 

a series of inspections. The objective of this first inspection is to 
determine the process, if any, used by the NRO to identify threats and 
risks to NRO’s two Mission Essential Functions (MEFs). The OIG will then, 
as appropriate, evaluate implementation of this process to determine its 
inclusiveness of the NRO enterprise and its effectiveness in identifying 
threats and risks that could inhibit execution of the two MEFs; and 
determine whether NRO programs are enhancing the enterprise’s current 
end-to-end resiliency posture, as required by the Director, NRO’s 
Strategic Program Brief. 





(U) Follow-up Inspection of the NRO Department of Defense (DoD) 
Cadre. Objective: Assess the NRO’s progress in such areas as the 
issuance of policies needed to provide necessary guidance and support to 
the NRO DoD Cadre and the determination of the NRO’s future workforce 
composition, to include size and skills mix. In addition, the inspection 
team will evaluate NRO DoD Cadre career and professional development 
programs, recruitment and retention processes, mobility opportunities, 
and rank-in-position versus rank-in-person advantages and 


disadvantages. 


(U) Evaluation of NRO FY 2016 Improper Payment Compliance. 
This evaluation is required by the Jmproper Payments Information Act of 
2002, as amended by the Improper Payments Elimination and Recovery 
Act of 2010 and the Improper Payments Elimination and Recovery 
Improvement Act of 2012. Objective: Fulfill requirements established by 
Office of Management and Budget (OMB) Circular A-123, Managements 
Responsibility for Internal Control, Appendix C, Requirements for Effective 
Estimation and Remediation of Improper Payments, and OMB Circular A-136, 
Reporting Requirements, for the fiscal year ended 30 September 2016. 
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(U) Office of Inspector General Fiscal Year 2017 Independent 
Evaluation of National Reconnaissance Office Compliance with 
Federal Information Security Modernization Act. Objective: 
Independently assess NRO compliance with Federal Information Security 
Modernization Act requirements, implementation regulations, and 
guidance; review compliance with laws and regulations related to the 
NRO information security program and practices; and follow up on the 
status of prior-year findings and recommendations related to information 
security. 





(U) National Reconnaissance Office GEOINT-Financials Service 
Organization Controls Examinations. Objective: Report on the 
fairness of the presentation of management's description of the GEOINT- 
Financials application and the suitability of the design and operating 
effectiveness of the controls to achieve the related control objectives 
included in the description. 











(U) Office of Inspector General Audit of the National 
Reconnaissance Office Fiscal Year 2017 Financial Statements. 
Objective: Determine whether the financial statements and related notes 
are presented fairly in all material respects, in accordance with guidance 
issued by the Federal Accounting Standards Advisory Board, OMB, and 
other authoritative guidance. The auditors will also review internal 
controls and compliance with laws and regulations, and follow up on the 
status of prior-year audit findings. 
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(U) Audit of Management Oversight of Federally Funded 
Research and Development Centers throughout the National 
Reconnaissance Office. Objective: Determine whether the NRO 
implemented additional management oversight controls of Federally 
Funded Research and Development Centers (FFRDC) based on the 
findings and recommendations of prior audits. 


(U) Special Review of the National Reconnaissance Office 
Consolidated Facilities Operations and Maintenance Enterprise 
Procurement Contract. Objective: Evaluate whether the Enterprise 
Procurement Contract provides the most economical method for NRO 
procurements of commercial goods. 


(U) Audit of National Reconnaissance Office Supply Chain Risk 
Management. Objective: The objective of this audit is to determine 
whether NRO Supply Chain Risk Management procedures are designed 
and implemented to ensure the integrity of the NRO supply chain. 
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(U//FO¥Q) The OIG Investigations Division conducts criminal, civil, and 
administrative investigations into alleged violations of federal law, 
regulation, and policies involving NRO funds, operations, and programs. 
During this reporting period, the Investigations Division produced 14 
Reports of Investigation, 11 of which the OIG referred to the Department 
of Justice (DOJ). DOJ declined prosecution and/or litigation for each of 
the referred cases. The OIG referred one of the 11 cases to local 
authorities who also declined prosecution. In aggregate, these cases 
identified and/or supported the recovery of over $1.4 million for the NRO 
or the United States Treasury.’° These investigative metrics were derived 

iled using the Investigation Divisions’ (b)(3) 

contains all electronic investigative 

records and is capable of providing the OIG with statistical reports 
regarding case categories, recoveries and actions, productivity, and other 
forms of compiled data used by managers. 


(U/PONQ) Of the 14 Reports of Investigation reported to the NRO, seven 
involved contractor employees reported by the OIG to the Office of 
Contracts (OC) exclusively for suspension and debarment consideration. 
The OIG reported these seven cases as Summary Reports of 
Investigation, which do not require a response as the NRO had already 
acted to recover lost funds and/or to remove the employees as 
warranted. Summary reports commonly involve lower levels of labor 
mischarging by contractor employees where the NRO and the company 
have come to terms regarding resolution contemporaneous to the OIG's 
investigation. In these cases, the OIG only publishes the report after 
verifying that the NRO has been made whole. The summary reports 
provide OC with the necessary findings of fact to consider suspension and 
debarment. During this period, the OIG also issued an eighth summary 
report regarding a GS-13 government employee involved in time and 
attendance abuse. The details are provided further in this section. 


(U//FOUO}The OIG reported the remaining six investigations as follows: 


>» A-senior Government employee" allegedly engaged in a conflict of 
interest; action pending before the NRO Office of General Counsel for 
determination. This case is detailed further in this section. 


>» Acontractor employee involved in computer misuse and labor 
mischarging; action pending. 

> A GS-12 government employee involved in time and attendance 
abuse; action pending. 




















10 (U/FOSQ) Approximately $1.15 million recovered was related to investigations concluded during the previous period, but for 
which settlement and recovery was finalized during the first half of FY 2017. 

'! (U) For purposes of this reporting, the term “senior Government employee” means — (A) an officer or employee in the executive 
branch (including a special Government employee as defined in section 202 of title 18, United States Code) who occupies a position 
classified at or above GS-15 of the General Schedule or, in the case of positions not under the General Schedule, for which the rate 
of basic pay is equal to or greater than 120 percent of the minimum rate of basic pay payable for GS-15 of the General Schedule; 
and “(B) any commissioned officer in the Armed Forces in pay grades 0-6 and above.” 
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» Two claims filed by contractors under the Whistleblower Protection 
Act found to be without merit. 


> Asenior Government employee alleged to have violated the Fly 
American Act. The OIG investigation did not substantiate the 
allegations. The OIG provided the report to the employee's 
management for informational purposes only. 


(U//PONQ) In the first half of FY 2017, the Investigations Division 
responded to 155 allegations. Figure 4 illustrates the types and 
percentages of these cases opened during this reporting period. These 
figures were generally consistent with the past reporting period with 
Regulatory/Administrative cases making up the majority of the complaints 
received. Many of these cases were addressed as referrals to NRO 
management when possible so that investigative resources could be 
applied to more critical matters such as gu/ tams, procurement integrity, 
public corruption, and non-conforming parts cases. While these 
significant investigations make up a small percentage of the total number 
of intakes, they are typically the most complex matters with the greatest 
potential impact to the NRO mission. 
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(U) FIGURE 4: SUMMARY OF ALLEGATIONS RECEIV Y TH 
NRO OIG INVESTIGATIONS DIVISION 
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*(U//POSQ “Other Crime” includes a broad category of alleged criminal wrongdoing reported to the 
OIG. Allegations that do not fall into the category of fraud, waste, and abuse affecting NRO 
programs are referred to the appropriate investigative agency. Other crimes subject to investigation 
by the OIG may include, but are not limited to, wire fraud, counterfeit and forgery of official 
documents, private conversion of NRO resources, or deliberate damage to NRO property. 


Figure is UNCLASSIFIED POCO. _ 


(U) SELECTED INVESTIGATION SUMMARIES 


(U//EONQ) The Investigations Division completed seven investigations of 
false claims by NRO contractor personnel during this reporting period. 
The United States Attorney’s Office (USAO) declined prosecution for each 
of these cases. Six of these cases were subsequently resolved as an 
administrative action by OC. In total, the six cases accounted for over 
$253,000 returned to the NRO. The seventh case involved a subject who 
the OIG initially investigated for both misuse of an NRO computer 
system, which involved potential sexual enticement of a minor, and labor 
mischarging. The investigation did not produce information sufficient for 
criminal interest by the USAO or local law enforcement. As a result, the 
OIG reported its findings to OC with a recommendation for administrative 
settlement to account for the contractor employee’s mischarging of labor 
to an NRO contract. The labor mischarging is valued at approximately 
$64,000, and a recovery and settlement is pending further action by OC. 
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(U) Particularly significant investigations include the following: 


> 


W 


(U) The Investigations Division completed an investigation involving 
an NRO senior Government employee who allegedly engaged in a 
conflict of interest when he inappropriately provided assistance to a 
personal acquaintance who was seeking a contract from the NRO on 
behalf of the acquaintance’s employer, a state university. The 
successful acquisition resulted in a personal benefit to the 
acquaintance valued at approximately n salary. The 
university subsequently gave the NRO senior Government employee a 
non-monetary award citing the financial benefits of the NRO contract 
as a partial justification. The employee also received dinner 
accommodations for himself and his guests valued at $281 and in 
excess of that which is permissible under the Code of Federal 
Regulations. The senior Government employee also failed to report 
that he had received an offer of employment from the university 
during the planning or performance of the contract. The OIG briefed 
the case to the Department of Justice, which declined interest in favor 
of administrative action by the NRO. The NRO Office of General 
Counsel's determination on this matter is pending. 


(U) The OIG completed an investigation of a GS-13 NRO Cadre 
employee working as a security officer who mischarged official time. 
The investigation identified that the employee had mischarged 652 
hours from 2012 through 2015 with an aggregate value of 
approximatel The NRO took action based on a preliminary 
review of the OIG’s initial information, at a time when the case had 
been declined for prosecution by the USAO, but before the final report 
with recommendation was complete. The NRO issued the employee a 
letter of reprimand and required repayment of to the 
government in the form of approximately 161 hours of annual leave. 
The employee was not required to reimburse the remaining 


(U) The OIG completed an investigation involving a GS-12 Central 
Intelligence Agency (CIA) officer assigned to the NRO as a project 
manager who mischarged time. The investigation identified that the 
officer had mischarged 868 hours from 2012 to 2106 with a value of 
approximately The USAO declined this case for prosecution. 
The employee has sincé pending 
based on the OIG’s recommendation for administrative action as 
appropriate. 


(U) The OIG completed two investigations filed under the Intelligence 
Community Whistleblower Protection Act. Both cases involved 
contractor personnel whose claims were found to be without merit. 
The OIG advised the complainants of the OIG’s findings and of their 
appeal rights. 
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(U) The inspector General Act of 1978, as amended, requires federal 
agency OIGs to review existing and proposed legislation and regulations 
relating to their agencies’ programs and operations. Based on these 
reviews, the OIGs are required to make recommendations in their 
semiannual reports concerning the impact of the legislation and 
regulations on (1) the economy and efficiency of programs and 
operations of their agencies and (2) the prevention and detection of fraud 
and abuse in programs and operations of their agencies. 


(U) The NRO OIG conducts such reviews and provides comments and 
recommendations to Congress, when warranted, through a variety of 
means including reports and coordination with the Council of the 
Inspectors General on Integrity and Efficiency (CIGIE). For example, 
during this reporting period the NRO OIG reviewed all pertinent draft 
legislation to include the Inspector General Empowerment Act of 2015 
and the Intelligence Authorization Act for Fiscal Year 2017. The OIG also 
submitted a legislative proposal for repeal of §8H(g)(1) of the Inspector 
General Act of 1978, as amended, which currently mandates annual 
reporting by the NRO OIG. 
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(U) FINANCIAL SYSTEMS COMPLIANCE 


(U) As required by the inspector General Act of 1978, as amended, this 
Semiannual Report provides information regarding the NRO’s compliance 
with the requirements of the Federa/ Financial Management Improvement 
Act of 1996 (FFMIA). Specifically, the FFMIA requires organizations to 
implement and maintain financial management systems that are 
substantially in compliance with federal accounting standards and with 
federal financial management systems requirements. 


(U) For FY 2016, the NRO OIG contracted witH to assess the (b)(3) 
NRO’‘s financial systems for compliance with applicable laws and 

standards as part of its Audit of the National Reconnaissance Office Fiscal 

Year 2016 Financial Statements. assessment disclosed no 

instances in which the NRO’s financial management systems did not 

comply substantially with the Federal financial management system’s 

requirements, applicable Federal accounting standards, or application of 

the United States Standard General Ledger at the transaction level. 
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_(U) PEER REVIEWS 





(U) The Inspector General Act of 1978, as amended, requires that OIGs 
report on peer reviews conducted during this semiannual reporting 
period. The purpose of a peer review is to determine whether an 
organization’s system of quality control is suitably designed and whether 
its staff is effectively implementing those quality controls and conforming 
to applicable professional standards. Generally Accepted Government 
Auditing Standards issued by the Comptroller General of the United 
States require that audit organizations performing audits, attestation 
engagements, or both, undergo a peer review at least once every three 
years by reviewers independent of the audit organization to determine if 
an appropriate internal quality control system is in place. Similarly, CIGIE 
established Quality Standards for Inspection and Evaluation 

(CIGIE Standards) for maintaining quality assurance that includes having 
external quality assurance reviews of audits, investigations, inspections, 
evaluations, and other OIG activities. 





(U) The CIA OIG, with assistance from the Defense Intelligence Agency 
OIG, is leading a peer review of the NRO OIG Audits Division. The 
objective of this peer review is to determine whether, for the period 
under review, the NRO OIG Audits Division’s system of quality control is 
suitably designed and whether the audit organization is complying with its 
system of quality control to provide it with reasonable assurance of 
conformance with applicable professional standards. As applicable, the 
peer review will also determine whether controls over monitoring of 
contracted audits performed by IPAs, where the IPA serves as the 
auditor, are suitably designed and complied with. 


(U) The peer review covers audit reports issued during the three-year 
period that ended 30 September 2016. Fieldwork has been completed, 
and the final report is expected to be issued during the next semiannual 
reporting period. 


(U) PEER REVIEW OF OTHER AGENCIES’ INSPECTORS GENERAL 


(U) The NRO OIG did not conduct any peer reviews of other agencies’ 
OIGs during this reporting period. 
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(U) The Inspector General Act of 1978, as amended, established Offices 
of Inspector General to create organizationally independent and objective 
units to support agency oversight, effectiveness, and accountability. To 
assist the OIGs in maintaining independence, CIGIE developed Quality 
Standards for Federal Offices of Inspector General,’? and the Government 
Accountability Office (GAO) established guidance for evaluating and 
ensuring the statutory independence for each OIG organization as well as 
the independence of individual staff members.”? In accordance with the 
CIGIE and GAO guidance on maintaining independence, the OIG has 
established significant controls to ensure that its staff members are “free 
both in fact and appearance from personal, external, and organizational 
impairments to independence.” 


(U) The NRO OIG encountered no threats to its independence during this 
semiannual reporting period. The OIG continues to maintain its 
independence while working cooperatively with NRO senior leadership, 
staff, and contractor personnel to carry out its oversight responsibilities. 


(U) One key to the OIG’s effectiveness is the cooperative working 
relationship it holds with the NRO leadership and staff. The Director, 
NRO; NRO leadership team; and staff continue to be forthcoming with 
information and access to records and other documentation the OIG 
needs to carry out its mission. In addition, the NRO leadership is actively 
engaged in addressing open recommendations and implementing 
corrective actions. 





12 (UY) CIGIE, Quality Standards for Federal Offices of Inspector General, August 2012. 
13 (YU) GAO, Government Auditing Standards 2011 Revision, GAO-12-331G, December 2011. 
‘4 (YU) CIGIE Quality Standards, August 2012, page 10. 
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(U) APPENDIX A: SEMIANNUAL REPORTING REQUIREMENTS 


(U) The National Reconnaissance Office (NRO) Office of Inspector 
General (OIG) conducts audits, inspections, investigations, and special 
reviews in accordance with the requirements of Jnspector General Act of 
1978, as amended. Those requirements include promoting economy, 
efficiency, and effectiveness; detecting and preventing fraud and abuse; 
and supporting the mission of the NRO. The Act also establishes 
semiannual reporting requirements that highlight activities and significant 
issues that arise during the reporting period that may be of interest to 
Congress. Table A1 identifies the semiannual reporting requirements 
and the location of the corresponding information in this report. 


(U) TABLE A1: SEMIANNUAL REPORTING REQUIREMENTS 


(U) Reporting Requirement 


SEC 4(a)(2) 
SEC 5(a)(1-2) 


SEC 5(a)(3) 


SEC 5(a)(4) 


SEC 5(a)(5) 
SEC 5(a)(6-7) 


SEC 5(a)(8-9) 


SEC 5(a)(10-12) 


SEC 5(4)(13) 


SEC 5(a)(14-16) 


SEC b(a)(1/-18) 


SEC 5(a)(19-20) 


SEC S(ay(21) 


SEC 5(a)(22) 





TOP SECRET) 





(U) Page 





Legislation and regulation review 


Significant problems, abuses, and deficiencies; 
recommendations for corrective action 















Prior significant recommendations not yet 
implemented 


Matters referred to authorities resulting in 
prosecutions and convictions 





N/A 


Summary of refusals to provide information 


List and surnmary of reports issued during the 
reporting period 


Tables showing questioned costs and funds that 
should be put to better use 





Summary of reports with no management 
decision; Description and explanation of revised 
management decisions; Management decisions 
with which Inspector General disagrees 


N/A 


Financial systems compliance with federal 
requirements 


Peer review reporting 








Information about investigative reports, referrals 





for prosecution, indictments, and a description of 
the supporting metrics 








Investigations of employee misconduct and 
descriptions of whistleblower retaliation 


Descriptions, if any, of NRO interference with 
OIG independence 


Descriptions of audits, inspections, evaluations, 
and investigations not disclosed to the public 


Table is UNCLASSIFIED 











oT 





N/A 
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(U) APPENDIX B: RECOMMENDATIONS OLDER THAN ONE YEAR 


(U) Table B1 summarizes all open recommendations described in 
previous National Reconnaissance Office (NRO) Office of Inspector 
General (OIG) semiannual reports for which corrective action has not yet 
been completed within a year of issuance. Details on each open 
recommendation are included in Tables B2-B12. 


(U) TABLE Bi: RECOMMENDATIONS OLDER THAN ONE YEAR 













Report Title Report Date _— Total Open 
(U) Augait of the Managemeni of Information 19 November 2010 > 1 


Systems Privileged Users 





(U) Audit of Chief Information Officer 
Management of National Reconnaissance Office 
Information Technology 


(U) Inspection of the Special Communications 
Office 


(U) Joint Inspection of Aerospace Data Facility 
East and National Geospatial-Intelligence Agency- _ 
Franconia 





20 December 2013 











8 February 2014 














11 February 2014 





(U) Inspection of the Survivability Assurance 


Office (SAO) 


(U) Audit of NRO Cyber Incident Detection and 
Response 





3 November 2014 





17 December 2014 10 5 





25 March 201559 (b)(3) 











(U) Final Report Audit of the National 
Reconnaissance Office Management of the Silver  29September 2015 = 8 1 
Eagle Contract 
(U) Joint Inspection of Aerospace Data Facility 


Southwest and National Geospatial-Intelligence 30 September 2015 
Agency Southwest : 

















(U) Inspection of the Mission Integration 
Directorate’s Support to Users 








29 October 2015 9S 


(U) Suspension of Joint Inspection of the NRO 
SIGINT Compliance Program 





12 February 2016 
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(U//FOUO) Table B2: Audit of the Management of Information Systems Privileged 


Users 


Recommendation 


Becca 

















( 
( 








: Office _ Status 

| COMM i UPFSLQ). COMM nes established and communiceted an 
i | enterprise-wide module for centralized Privieged User 
b)(3) 

b)(5) i Initial ECD: September 2013 


i Current ECD: June 2017 


ine 





(U) Table B3: Audit of Chief Information Officer Management of National 
Reconnaissance Office Information Technology 


Recommendation 


(U//POSQ Recommendation #2 for the DNRO: Direct 
and ensure that CIO, the Systems Engineering Directorate 
(SED), Business Plans and Operations Directorate (BPO), 
and the Office of Policy end Strategy (OP&S), in 
coordination with other Directorates and Offices as 
appropriate, establish clear and authoritative lines of 
information technology (17)-related roles, responsibilities, 
ownership, and accountability by updating relevant NRO 
policies, directives, instructions, governance plans, and 
Letters of Instruction to clarify the CIO's responsibilities. 


(U//FO Recommendation #5 for the CIO: Review and 
update the investment management Concept of 
Operations (CONOPS) to ensure that the investment 
management process aligns with federal guidance and 
best practices. 


commendation #7 for the e— | 





Office 
Director, NRO 
(DNRO) 
delegated to 
COMM/CIO 


Status 
(U//FOBQY.COMM/CIO has satisfied the recommendation to 
update relevant IT-related documents under its purview (NRO 
Business Function 50). This recommendation remains open 
pending receipt and review of the updates to the NRO 
Business Function 10--currently being coordinated by the 
Corporate Secretariat (CS) as part of the transition of 
acquisition oversight responsibilities. According to the CS, the 
updates are completed and awaiting final review and 
signature. 


initial ECD: June 2015 
| Current ECD: December 2017 


(U//PS8Q) COMM/CIO has satisfied the recommendation to 
| update the CONOPS. However, the updated CONOPS refers 

| to NRO acquisition policies and instructions that have not 

| been updated per recommendation #2. This 

' recommendation remains open pending receipt and review of 
: the updates to the NRO Business Function 10--currently being 
: coordinated by the Corporate Secretariat (CS) as part of the 
transition of acquisition oversight responsibilities. According 

; to the CS, the updates are completed and awaiting final 

| review and signature. 


i Initial ECD: September 2015 
| Updated ECD: March 2016 
| Current ECD: December 2017 


(U//P On 19 January 2017, COMM/CIO provided the 
OIG with updated status information indicating thal itis 
making progress toward addressing this recommendation, 
Additonal information will be fortacoming. 












COMM/CIO 


















inftial ECD: April 2015 
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(U) Table B4: Inspection of the Special Communications Office 









Recommendation on, Office Status 
(U/JEOO) Recommendation #12 for the Director, Special Sco (b)(1) 
Communications Office (SCO). Review all External (b)(3) 


Agreements (EA) for currency and relevance. Work with 
OPS t update and convert Memoranda of Agreement to 
interagency Agreements as appropriate. 











(U) Table B5: Joint Inspection of Aerospace Data Facility East and National 
Geospatial-Intelligence Agency-Franconia 


Recommendation Office 


) Recommendation ADF-E/NGA-F-12-131: Mission 
Establish or update a written process for timely reporting Operations 
and reimbursement for supplies and services in Directorate 
accordance with the NRO/National Geospatial- Intelligence (MOD) 


Agency (NGA) (b)(3 


_ Status 


(U/JPOS@L The agreement is still in draft form. NRO and 

NGA are in the process of resolving one outstanding issue 
unrelated to this open recommendation. Resolution of the 
outstanding issue is anticipated in June. 


Initial ECD: July 2014 
Updated ECD: June 2017 


(U//POUSL.NRO Directive 10-2 is undergoing hardcopy 
coordination for Principal Deputy Director, NRO signature. 
Coordination of the package is on hold due to the Office of 
General Counsel concerns with language. The associated 
NRO Instructions (NI) (NI 10-2-1, Real Estate Acquisition 
and disposal, and NI 10-2-2, Maintenance, Repair, 
improvement, and Construction Acquisition) were submitted 
to Corporate Secretariat in January and are expected to be 
processed for action officer review late March. OIG expects 
formal approval process with Ds and Os to be completed by 
the summer of 2017. 


Initial ECD: July 2014 
Current ECD: August 2017 




















(UFOS Recommendation ADF-E/NGA-F-12-205: 
Finalize and publish NRO Directive (ND) 10-2, Facilities 
Acquisition Planning and Execution and associated NRO 
Instructions. 


Table is UNCLASS 





(U/ /FOUQ) Table B6: Inspection of the Survivability Assurance Office (SAO) 


Recommendation 


(U//FODS) Recommendation #36 for the DNRO: Task 
SED with the responsibility to ensure that protection and 
resiliency ere addressed as a part of requirements/design 
reviews for each maior system acquisition. 


Office Status 


DNRO (U) Op 22 September 2016, SED completed NRO wide 
review of the draft NRO Directive (ND) 130-6, NRO 
Architecture Resiliency. In ifs current form, some 
comments could not be adjudicated thus the draft 
document requires rewriting. An updated, draft ND wil 
require another round of internal SED review, Once 
approved within SED, te updated, drat ND will be released 
for NRO review and approval. Estimated completion cate to 
obtain NRO review and approval and to subsequently 
publish ND 130-6 is 31 December 2017. 





Ss 
S 
g 
S 
: 
Oy 


Current ECD: December 2017 
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(U) Table B7: Audit of NRO Cyber Incident Detection and Response 













Recommendation ; Office Status 


(U//POUS}Recommendation #2 for the Director, COMM: == = = COMM (0) COMM has requested closure, The OIG is currenty 
Ensure that reviewing the documentation provided to determine 


whether COMM has met the intent of iis 
in accordance wilh Intelligence Community recommendation. 

Standard (1CS) 502-01 and Intelligence Community 

Directive (ICD) 502. 


__(U/TPDHG) Rerommendation #3 for the Director_ COMM: 

























(b)(3) 





Intiel ECD: March 2015 
Current ECD: [TBD 


(U7TPRLQ) The COMM/NISP 





























(b)(3) 





Initial ECD: December 2016 
Currant ECD: line 2017 





(UTFOUGL.Recommendation #6 for the Director, COMM 



























initial ECD: December 2015 
Current ECD: TBD 










































whether COMM has met the intent of this 
recommendation. 


comm | (U// COMM ig 
ICD 502. 
(b)(3) 
(b)(3) | 
| Ynitial ECD: Apr 2015 
| Current ECD: March 2019 
C7 i for the Director, | (U) COMM has requested closure. The OIG is currently 
COMM: : reviewing the documentation provided to determine 





Inficl ECD: Apri 2015 
) CunenLECD: [BD 
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(U) Table B9: Final Report Audit of the National Reconnaissance Office Management 
of the Silver Eagle Contract 





















































Recommendation : Office _ Status 
(U/JPONG} Recommendation #10 for the Director, COMM | COMM | (U//PORAThe OIG met with COMM on 28 and 29 
in coordination with the Director, OS&CI: Develop and i i March 201/ to discuss the COMM acti ne 
implement a risk mitigation plan te comply with NRO and { i recommendations. COMM provided (b)(3) 
contract requirement to i i 
A, monitor Silver Eagle activities; and : 
(b)(3) | | qnitian ECD: June 2016 


i Current ECD: December 2017 
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(U) Table B10: Joint Inspection of Aerospace Data Facility Southwest and National 
Geospatial-Intelligence Agency Southwest 


Recommendation Office _ Status 











MOD/MS&O —_— (4) The ADF-SW Commander and the USAF continue 
2 to work in coordination with NRO/OP&S to update tne 
(b)(1) 


(b)(3) 

























= the OIG is due 19 April 2017. “his recommendation 
ins open pending receipt of the finalized 














Inal ECD: March 2017 
Current ECD: August 201/ 


(U) MOD is working with the NRO Innovation Centers 
: on the guidance to be included in NBF-60/ND 60-1. 

| MOD’s next status to the OIG is due 19 April 2017. 

| This recommendation remains open pending receipt 

| of approved directorate-level guidance and/or policy 
for all of the NRO Innovation Centers. 


Current ECD: March 2017 


(U//POSQY Recommendation ADFSW-15-2004 for D/MOD MOD/MS&O b)(3 
Develop and publish directorate level guidance and/or continue to work with ( ( ) 
licy fo MOD to develop and publish directorate level 
' guidance and/or policy for NRO Enterprise 
oF inclusion in : Collaboration. s in the process of milestone (b)(3) 
| development and anticipates an ECD NLT 
(b)(3) | 31 December 2017. MOD's nexé status to the OIG is 
' due 19 April 2017. This recommendation remains 
: open pending receipt of approved directorate-level | 
: guidance and/or policy for 














(U/FPORe) Recommendation ADFSW-15-2002 for D/MOD 
Develop and publish directorate-level guidance and/or 
policy for all of the NRO Innovation Centers for inclusion 
in the NBF 60 and/or ND 60-1. 


MOD/MS&O 
































the NBF 60 and/or ND 60-1. 











(b)(3) 











Ine ECD: March 2017 
: Current ECD: December 2017 


| (U) NROC is currently rewriting the NI 60-1-1 

: document. MOD’s next status to the OIG is due 

: 19 April 2017. This recommendation remains open 

i pending receipt of the approved updated NI 60-1-1 

| that contains the clarified definition and intent of the 
| term “event awareness.” 


! Initial ECD: February 2017 
Current ECD: July 2017 


(U//FOUS} Recommendation ADFSW-15-2006 for D/MOD (U) NROC is currently rewriting the NI 60-1-1 

In NI 60-1-1, define a long-term system outage, the document. MOD’s nexd status to the OIG is due 

frequency of required updates, and to whom the updates 19 April 2017. initial ECD changed to include Une for 

Wil be reported. coordination. [his recommendation remains open 
pending receipt of the approved definition of a ong. 
term system outage, the frequency of required 
updates, and to whom the updates will be reported 
contained in finalized NI 60 1-1. 


+ inflal ECD. February 2017 
. Current ECD: July 2017 









(U/JPOSa_Recommendation ADFSW-15-2005 for D/MOD 
In NI 60-1-1, clarify the definition and intent of the term 
“event awareness” in association with submitting written 
SITREPs. 


MOD/MS&O 
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(U) Table Bi1: Inspection of the Mission Integration Directorate’s Support to Users 


Recommendation Office _ Status 
(UU commendadion #12 for the Director, MID i (UFONOMID delivered a consolidated NRO response 


i fo the House Permanent Select Coniniittee oni 

i intelligence request reaarding the Intelligence 

i Authorization Act for Fiscal Year 2017 actions on 

i Support to Users. MID also provided O1G with NRO 

i Outreach and Engagement Goals and Objectives to 
satisfy the qualitative needs. MID intends to develop a 
detailed pian for quantitative metrics development 
including schedule, budget, and deliverables by the end 
of this year. 

Inital ECD: December 2017 

(U) Director, MID signed NRO Business Function 140, 
Customer Engagement and Support, NBF 140 in 
November 2016. NBF 140 set the framework for 
updating the remaining governance documents, which 
are expected to be completed in June. 


Initial ECD: August 2016 


MID: Establish and document measures of program 
performance (rat are important to identifying program 
vsks and successfully achieving the user engagement 
mission (e.g., monitoring/assessing staffing levels and 
requirements). 


oe 


(U/7PORSA Recommendation #ic for the Director, MID: 
Update NI 140-1-1 and NI 140-1-2 based on the 
evaluation of the CIS tool for continued use. 


MID 


teen rene enn n eens mmint mmm mete mm mmitn mieten mein mri 


teen eee e enone eeeeeneenneend ie aunaanaanuanne an 
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(U) Table B12: Suspension of Joint Inspection of the NRO SIGINT Compliance 
Program 


Recommendation Office _ Status 

(Uae recommendation #1 Gor NRO and NSA OGC i (0) NSA OGC and NRO OGC collaborated and submitted 
Offices of General Counsel, in coordination with Director, i a response fo both agencies. GIGS return response 
NRO/Off ce of Policy and Strategy and Chief, i indicated that the message requires further clarficauon 
NS Clarify the and new terms need to be defined. NRO OGC will re- 
concepls, terns, and DArases associated with the engage NSA OGC to inivate another canfication effor 
overnead SIGINI activites found in Annex A and outlined and respond in June 201/. 

in Foding 1 of nis memorandum. isa ECD: dune 2076 


(U) FINDING 1: Various concepts, phrases, and terms 
id lind : J clarificati 



















(b)(3) 





oh i i i i i i 





me ia i i i i 


Beene eee ne nnn enennnn 
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(b)(3) 
| (b)(5) 
(POU) Recommendation #2 (for NRO and NSA OGC 
Offices of General Counsel, in coordination with Director, | 
NRO/Office of Policv anc Strateny and Chief, 
NS Add to Annex A i (b)(3) 











(or supplemental documentation) explanations of the 
terms and phrases associated with overhead SIGINT 
activities outlined in Finding 2 of this memorandum. 


(U) FINDING 2: Explanations of the following terms are 
not found in Annex A but are needed. 

















i June 2017. 
Initial ECD: 30 December 2018 


(by(3) 
(b)(5) 








(U//FOUG) Recommendation #3 (or NRO and NSA 
Offices of General Counsel in coordination with Director, 
NRO/Office of Policy and Stratecy and Chief, 

NSA/ Clarify the 
applicability GF AG approved Procequres tO overhead 
SIGINT activities as they apply to the NRO outlined in 
Finding 2 of this memorandum. 

(UPOSQ) FINDING 3: Guidance regarding the 
applicability of AG-approved procedures to overhead 
SIGINT activides needs clarification. 


(U// NSA OGC and NRO OGC collaborated and 

i submitted @ response to beth agencies. OlG’s return 
response indicated that clarification is required and that 

the guidance provided by Section 3.5 of the DoD 
5240.M should be considered. NRO OGC will review 
this guidance and respond in June 2017. 


initial ECD: 30 June 2019 




















(b)(5) 














B (UTPPRSO) Are the following SIGINT or non-SIGINT 
missions’ Do the AG- approved procedures apply to these 
missions? Why? 


no tn a oS SSS SSS SS SaaS SSS aaa Sasa Sasa aa aaaeaaaaaaaeseseseees 















(b)(3) 





C, (U//POs@ids the NRO part of the USSS? If so, what 
ere he ciecumstances under which this eccurs? What 
effect does Uils have on NRO? On overhead SIGINT 
acuvidies? 






KURU AWUU RU KU MWA eU RW Kb Rane ene Wibmunbnwnnnunbnemenennannunenemuneennnnenenemencewnonumenemencneaene mene ne ——— ene ne meme ne nnn ene mn enn n enn n nen wenn ne nnn n enn enn n enna ene n ne nn enna eee n= = === === 


tm i i i 
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